
Re: Debian PHP upgrade

Hi Philip

Thank you very much for your response.


On 2015/03/25, 4:28 PM, "Philip Hands" <phil@hands.com> wrote:

>Andile Ntebe <ANtebe@Acceleration.biz> writes:
>> Hi
>> I’m not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>> The below vulnerabilities seem to affect this version:
>You seem not to have noticed that Debian fixes security issues in stable
>versions of our packages, so you're comparing the version that Apache
>would tell you is vulnerable without noticing the fixes that have been
>applied since then by the Debian security team.
>I suggest that you take your list of CVEs and see if any of them are not
>mentioned as having been fixed in the Debian changelog:
>  http://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13+deb7u4_changelog
>(I'm guessing that if you've been upgrading as hard as you can, and
>still have 2.2.22 then you're using Debian 7, a.k.a "wheezy" -- look in
>/etc/debian_version where you should see "7.8")
>Anyway, you need to note that the Debian version of Apache that you are
>running is not 2.2.22, but rather 2.2.22-13+deb7u4, so that is the 13th
>version of the package that's been built by the package maintainer, many
>of which added fixes for CVEs, taking us to version 2.2.22-13, followed
>by four more uploads that backport fixes to Debian 7  (deb7u1..deb7u4)
>each of which adds more CVE fixes.
>Upgrading to the latest version of something to fix security bugs
>carries with it the potential to introduce new unexpected behaviours,
>and that may result in things breaking, which is why we backport
>security fixes instead of just asking everyone to upgrade and hoping for
>the best.
>> Is there a way for us to update to the latest version?
>There certainly is -- you can choose to run our testing or unstable
>branches, rather than stable, but hopefully now you know why you should
>not be fretting about this.
>Cheers, Phil.
>|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
>|-|  http://www.hands.com/    http://ftp.uk.debian.org/
>|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
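
The changelog check suggested in the quoted reply, as an added example that is not part of the original thread: it parses text in Debian changelog format and splits a scanner's CVE list into ids the changelog mentions (with the package version) and ids it does not. The sample changelog, maintainer name and CVE ids are constructed placeholders; the function names are hypothetical.

```python
import re

# Constructed sample in Debian changelog format. The version strings follow the
# scheme described in the thread; the CVE ids are placeholders, not real entries.
SAMPLE_CHANGELOG = """\
apache2 (2.2.22-13+deb7u4) wheezy-security; urgency=medium

  * Backport fix for CVE-0000-0004: constructed entry.

 -- Example Maintainer <maint@example.org>  Thu, 01 Jan 2015 00:00:00 +0000

apache2 (2.2.22-13+deb7u1) wheezy-security; urgency=high

  * CVE-0000-0002, CVE-0000-0003: constructed entries.

 -- Example Maintainer <maint@example.org>  Wed, 01 Jan 2014 00:00:00 +0000

apache2 (2.2.22-13) unstable; urgency=low

  * Fix CVE-0000-0001: constructed entry.

 -- Example Maintainer <maint@example.org>  Tue, 01 Jan 2013 00:00:00 +0000
"""

# Entry header: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) ")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def fixed_cves(changelog):
    """Map each CVE id to the oldest package version whose entry mentions it."""
    fixed, version = {}, None
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:
            version = m.group("ver")
        elif version:
            for cve in CVE.findall(line):
                fixed[cve.upper()] = version  # entries run newest first, so the last write is the oldest
    return fixed

def triage(reported, changelog):
    """Split a scanner's CVE list into ({cve: version} mentioned, [cve] not mentioned)."""
    fixed = fixed_cves(changelog)
    wanted = [c.strip().upper() for c in reported]
    return ({c: fixed[c] for c in wanted if c in fixed},
            sorted(c for c in wanted if c not in fixed))

if __name__ == "__main__":
    done, todo = triage(["CVE-0000-0001", "cve-0000-0004", "CVE-0000-0009"], SAMPLE_CHANGELOG)
    for cve, ver in done.items():
        print(f"{cve}: mentioned in the changelog entry for {ver}")
    print("not mentioned in the changelog:", todo)
```

An id that the changelog does not mention is not automatically unfixed or applicable; it is the remainder that still needs to be looked at by hand.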
